0.5 percent of all Microsoft accounts are taken by cybercriminals each month, according to new research. These bad actors can hijack 0.5% because of a lack of multi-factor authentication (MFA) amongst Microsoft account users.

While 0.5% may seem insignificant, it amounts to over one million Microsoft accounts taken by cybercriminals.

At the recent RSA Security Conference, director of Identity Security Alex Weinert said there were 1.2 million hijacked accounts in January. His presentation at the conference has been uploaded to YouTube and shows 99.9% of compromised accounts did not have MFA.

In other words, if an account uses MFA, it will likely be protected from being compromised. For those accounts without MFA, there are two defining factors that make them easy to attack: holders of these accounts don’t usually update their password and use legacy protocols.

A legacy protocols such as SMTP, IMAP, or POP don’t offer MFA tools and make the password the only step a bad actor needs to bypass.

Easy Access

Weinert points out that 40% (480,000 accounts) were simply compromised by a standard password spraying method during January. Attackers would try to sign in across a vast number of accounts with some statistically likely passwords. Nearly half a million got a hit.

Password reuse is a major problem and a major indicator of a compromised account. Interestingly, users who reuse passwords will even use credentials from enterprise accounts on other services. These people will also use the same password across multiple platforms.

Weinert points out the mitigation is simple, stop reusing passwords and ditch legacy protocols. Getting the message across and convincing users to act is the tricky part.